PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Disable Prelinking
The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line insi...Rule Medium Severity -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...Group -
Verify Integrity with RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with informat...Group -
Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package m...Rule High Severity -
Verify and Correct Ownership with RPM
The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system ...Rule High Severity -
Verify and Correct File Permissions with RPM
The RPM package management system can check file access permissions of installed software packages, including many that are important to system sec...Rule High Severity -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo zypper install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/bin/aide --init</pre> By default, the database will be written to the file...Rule Medium Severity -
Configure Periodic Execution of AIDE
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line t...Rule Medium Severity -
System Cryptographic Policies
Linux has the capability to centrally configure cryptographic polices. The command <code>update-crypto-policies</code> is used to set the policy ap...Group -
Configure Libreswan to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but th...Rule High Severity -
Configure OpenSSL library to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL...Rule Medium Severity -
Configure SSH to use System Crypto Policy
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configu...Rule Medium Severity -
Endpoint Protection Software
Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative secur...Group -
Install Intrusion Detection Software
The base SUSE Linux Enterprise 12 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, ...Rule High Severity -
McAfee Endpoint Security Software
In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.Group -
McAfee Host-Based Intrusion Detection Software (HBSS)
McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.Group -
Install the Host Intrusion Prevention System (HIPS) Module
Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable th...Rule Medium Severity -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...Group -
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by ...Rule High Severity -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...Group -
Enable GNOME3 Screensaver Idle Activation
To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code...Rule Medium Severity -
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...Rule Medium Severity -
Enable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated, run the following command to configure the SUSE operating syste...Rule Medium Severity -
Implement Blank Screensaver
On SUSE users should set the screensaver to use publicly viewable images or blank screen by doing the following: Find the Settings menu and then...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Session Idle Settings
If not already configured, ensure that users cannot change GNOME3 session idle settings by adding <code>/org/gnome/desktop/session/idle-delay</code...Rule Medium Severity -
Updating Software
The <code>zypper</code> command line tool is used to install and update software packages. The system also provides a graphical software update too...Group -
Ensure gpgcheck Enabled In Main zypper Configuration
The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check p...Rule High Severity -
Ensure gpgcheck Enabled for All zypper Package Repositories
To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck...Rule High Severity -
Ensure SUSE GPG Key Installed
To ensure the system can cryptographically verify base software packages come from SUSE (and to connect to the SUSE to receive them), the SUSE GPG ...Rule High Severity -
Ensure Software Patches Installed
If the system is configured for online updates, invoking the following command will list available security updates: <pre>$ sudo zypper refresh &a...Rule Medium Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...Group -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group -
Ensure PAM Displays Last Logon/Access Notification
To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...Rule Low Severity -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Set Deny For Failed Password Attempts
The SUSE Linux Enterprise 12 operating system must lock an account after - at most - <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xcc...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts using pam_tally2
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_tall...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Set PAM's Common Authentication Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/common-auth</code>, the <code>au...Rule Medium Severity -
Set Password Hashing Algorithm in /etc/libuser.conf
In <code>/etc/libuser.conf</code>, add or correct the following line in its <code>[defaults]</code> section to ensure the system will use the SHA-5...Rule Medium Severity -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the <code>password<...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...Group -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...Group -
Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. I...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.